Annvix:Project TODO/2.1

2.1 Roadmap

This page is a scratchboard of ideas for 2.1-CURRENT that we should aim to accomplish for this release. For now this is an un-ordered list; we can assign priorities later.

• provide better documentation on the website (styled like a user's guide manual)
• drop RSBAC and integrate grsec instead (this might require a kernel upgrade, however)
• provide default AppArmor policies and make AppArmor installed per default
  • packages provide their own AppArmor policies as configuration files?
• drop openswan kernel patches (investigate something simpler like openvpn as a viable alternative to ipsec; as well, doesn't the 2.6 kernel have it's own ipsec support? do we even still need openswan?)
• audit packages to remove useless/frivolous patches
• apply more hardening patches... many visits to the openwall CVS for this
• possibly re-write srv to use sv to do the heavy lifting
  • re-do or drop dependency handling -- right now it's iffy at best
• enable logfile reporting as part of rsec -- use swatch for this?
• make sure config files in /etc/ (i.e. /etc/init.d, /etc/sysconfig/*, etc.) are appropriately owned (root:admin, 0640, etc.)
• make builder optionally sign rpm packages it produces
• make builder maintain a cache of old packages (that can be cleaned), but keep only newly built packages in the repository (i.e. if joe exists and a user creates joe again, both joe packages aren't in the repository) -- make cache cleaning with a certain threshold (i.e. delete packages in the cache older than xx days)
• make builder's home /var/builder instead of /usr/local/ports
• evaluate default-created user accounts; some may not be required and are legacy Mandrake: i.e. adm, lp, sync, shutdown, halt, news, operator (as per tim scott)
• harden mount flags, i.e. /proc could be mounted nosuid, and so could /dev/pts I think
• double-check pam_limits settings
• verify there is no mysql "anonymous" account
• drop the mysql test databases
• PaX support? (might get this "free" when we use grsec)